Ssd Unit 3

Unit 3

Learning Outcomes Achieved

  1. Identify & manage security risks as part of a software development project
  2. Critically analyse development problems and determine appropriate methodologies, tools and techniques to solve them

Summary Post

This week, students were required to post a summary post, which integrated the forum discussion with the learning content of all 3 modules. In my summary post, I briefly discussed my original topic. Of particular importance, however, was my discussion of whether or not I agreed with the improvements suggested by my classmates. I found that all the proposed solutions were viable; however, I needed to select the most viable approach and provide adequate justification. As a result, I completed additional research to find ways of measuring proposed solutions against each other, and discovered that simplicity can be used as a criterion for evaluation. Although simplicity is not a technical or intricate measure, it is a principle that can be applied, which would improve security as it intrinsically encourages minimizing attack surfaces. As a result, I was able to achieve learning outcome 2, because I learned about a criterion (simplicity) that can be used to critically analyze techniques for patching a vulnerability.

Collaborative Discussion Artefacts

Link to Summary Post

Codio Activities

Working through the buffer overflow exercise in C provided insight into the role that modern operating systems play in guaranteeing safety. According to Watters (2019), if a buffer overflow is executed, sensitive information can be obtained. Wanting to replicate this behavior on my own hardware out of curiosity, I attempted to compile and run the C code given in the exercise on a Linux-based virtual machine. The virtual machine did not allow the application to run completely and instead displayed segfaults. After some research, I discovered a tool known as checksec which explains which security features the virtual machine has (Klein, 2011). The results of checksec showed that Linux itself has multiple features which prevent attacks through mechanisms such as buffer overflow.

Learning this gave me an idea for improving the security of the application due in Unit 11. Using a containerized application could further improve security as long as a secure image is used and kept up-to-date. As my team agreed on deploying the application to Heroku, I investigated how deployment is completed on Heroku. Deploying Docker images is supported by Heroku, which provides an additional level of flexibility in terms of security. Using my newfound knowledge of operating system security, I therefore set out to look for what the most secure Docker images are for Python. Verner & Henry (2019) suggest using a lightweight image such as Alpine, because less software bundled with the image leads to less risk of vulnerabilities. However, the authors note that, in the case of Alpine, the image must be kept up-to-date, as security patches are not released for older Alpine images.

Overall, this exercise helped me achieve learning outcome 1, because I learned how containerization could improve or impair the security of a software development project.

References

Klein, T. (2011) checksec.sh. Available from: https://www.trapkit.de/tools/checksec/ [Accessed 29 September 2021].

Watters, B. (2019) Stack-Based Buffer Overflow Attacks: Explained and Examples. Available from: https://www.rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/ [Accessed 29 September 2021].